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Abstract 

We describe a structured system for distributed mecha- 
nism design. It consists of a sequence of layers. The lower 
layers deal with the operations relevant for distributed com- 
puting only, while the upper layers are concerned only with 
communication among players, including broadcasting and 
multicasting, and distributed decision making. This yields 
a highly flexible distributed system whose specific applica- 
tions are realized as instances of its top layer. 

This design supports fault-tolerance, prevents manipula- 
tions and makes it possible to implement distributed polic- 
ing. The system is implemented in Java. We illustrate it by 
discussing a number of implemented examples. 



1 Introduction 



1.1 Background and motivation 



Mechanism design is an important area of economics. It 
aims at realizing economic interactions in which desired so- 
cial decisions result when each agent is interested in max- 
imizing his utility. The traditional approach relies on the 
existence of a central authority, who collects the informa- 
tion from the players, computes the decision and informs 
the players about the outcome and their taxes. 

Recently, in a series of papers distributed mechanism 
design was suggested as a realistic alternative for the ap- 
plications based on the Internet. In this setting no central 
authority exists and the decisions are taken by the players 
themselves. The challenge here is to appropriately combine 
the techniques of distributed computing with those that deal 
with the matters specific to mechanism design, notably ra- 
tionality and truth-telling. 
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1.2 Related work 

A number of recent papers deal with different aspects of 
distributed mechanism design. An influential paper J5) in- 
troduced the notion of distributed algorithmic mechanism 
design emphasizing the issues of computational complexity 
and incentive compatibility in distributed computing. Next, 
J9) studied the distributed implementations of the VCG 
mechanism. However, in their approach there is still a cen- 
ter that is ultimately responsible for selecting and enforcing 
the outcome. 

The authors of ifTTl considered the problem of creating 
distributed system specifications that will be faithfully im- 
plemented in networks with rational (i.e., self-interested) 
nodes so that no node will choose to deviate from the speci- 
fication. Researchers of iflOl introduced the first distributed 
implementation of the VCG mechanism. The only central 
authority required was a bank that is in charge of the com- 
putation of taxes. The authors also discussed a method to 
redistribute some of the VCG payments back to players. 

1.3 Contributions 

In this paper we propose a platform for distributed mech- 
anism design. Our work is closest to ifTOl whose approach 
is based on distributed constraint programming. In contrast, 
our approach builds upon a very general view of distributed 
programming, an area that developed a variety of techniques 
appropriate for the problem at hand. 

Our platform is built out of a number of layers. This 
leads to a flexible, hierarchical design in which the lower 
layers are concerned only with the matters relevant for dis- 
tributed computing, such as communication and synchro- 
nization issues, and the upper layers that deal with the rele- 
vant aspects of the mechanism design, such as computation 
of the desired decision and taxes. Any specific application 
is realized simply as an instantiation of a top layer. This 
layered architecture offers a number of novel features and 
improvements to the approach of ifTOl . to wit 

• we deal with a larger class of mechanisms, notably 
Groves mechanisms. Additionally, we can easily tai- 
lor our platform to other tax-based mechanisms, such 
as Walker mechanism (see lfl2l ). 



• we support open systems in which the number of play- 
ers can be unknown, 

• the bank process of iflOl is replaced by a weaker tax 
collector process. It is needed only for the mechanisms 
that are not balanced, wherein it is a passive process 
used only to receive messages to collect the resulting 
deficit, 

• fault-tolerance is supported, both on the message 
transmission level and on the player processes level, 

• a multi-level protection against manipulations is pro- 
vided, 

• our platform makes it possible to implement dis- 
tributed policing that provides an alternative to a 'cen- 
tral enforcer' whose responsibility is to implement the 
outcome decided by the agents and collect the taxes 
(see, e.g., page 366]). 

Fault-tolerance at the mechanism design level means 
that the final decision and taxes can be computed even af- 
ter some of the processes that broadcast the player's types 
crash: the other processes then still can proceed. This is 
achieved by the duplication of the computation by all play- 
ers. Such a redundancy is common in all approaches to 
fault-tolerance (and also used to prevent manipulations, see 
lU page 366]). It was intentionally avoided in IflOl which 
aimed at minimizing the overall communication and com- 
putation costs. In our approach it allows the fastest process 
to 'dominate' the computation and move it forward more 
quickly. 

Our platform can be easily customized to real-life ap- 
plications. Using it players can engage in joint decision 
making by dynamically forming a network with no central 
authority, in which they know neither their neighbours nor 
the size of the network. Also it can be used for a repeated 
distributed decision making process, each round involving 
a different group of interested players. This design is im- 
plemented in Java. 

Finally, a few words about the paper organization. In 
the next section we review the basic facts about the tax- 
based mechanisms, notably the Groves family of mecha- 
nisms. Then in Section [3] we discuss the issues that need 
to be taken care of when moving from the centralized tax- 
based mechanisms to distributed ones and what approach 
we took to tackle these issues. The details of our design and 
implementation are provided in Section|4] 

Next, in Section [5] we discuss three important advan- 
tages of our design: security, distributed policing and fault- 
tolerance. In Section|6]we discuss a number of examples of 
mechanisms that we implemented using our system. They 
include Vickrey auction with redistribution, two types of 
auctions and a sequential mechanism design. Then, in Sec- 
tion [7] we provide conclusions. 



2 Preliminaries: mechanism design 

We recall here briefly tax-based mechanisms, see, e.g., 
Chapter 23]. Assume a set of decisions D, a set 
{1, . . . , n} of players, for each player a set of types 0; and 
a utility function Vi : D x Qj — > 1Z. In this context a type 
is some private information known only to the player, for 
example a vector of player's valuations of the items for sale 
in a multi-unit auction. 

A decision rule is a function / : G — > D, where := 
©i x • • • x n . We call the tuple 

(£>,©!, • • • >@n,«l, • • • ,V„,f) 

a decision problem. 

A decision rule / is called efficient if for all 9 £ © 

n 

f(0) e argmax de£) 2J Vj(d, 6j), 
i=i 

and strategy-proof (or incentive compatible) if for all 9 G 

6,!G{l,...,n} and 9[ e 0, 

v l (f(9 l ,9_ l ) 1 9,)>v l (j(9' ll 9^),9 l ), 
where 0_< :=(9 X ,..., 0;_i, m , #«) and (fl{, := 

(01, . . . , di-l, 9[, 9i+l, . . . , 9n), 

In mechanism design one is interested in the ways of 
inducing the players to announce their true types, i.e., in 
transforming the decision rules to the ones that are strategy- 
proof. In tax-based mechanisms this is achieved by extend- 
ing the original decision rule by means of taxes that are 
computed by the central authority from the vector of the 
received types, using players' utility functions. 

Given a decision problem, in the classical setting, one 
considers then the following sequence of events, where / is 
a given, publicly known, decision rule: 

(i) each player i receives a type 9i, 

(ii) each player i announces to the central authority a type 
9[; this yields a joint type 9' := {9[,. . . , 9' n ), 

(iii) the central authority then computes the decision d := 
f(9') and the tax vector t := g(6'), where g : © -> TZ" 
is a given function, and communicates to each player i 
the decision d and his tax ij. 

(iv) the resulting utility for player i is then m(d,t) := 
Vi(d,9i)+ti. 

Each Groves mechanism is obtained using g(9') := 
(ti(9'),...,t n (9')), where for alii e{l,...,n} 

. u(9>) ■.= h i (e>_ i ) + Y2=iVi(f{no' j )> 

• hi : 0_j — > K is an arbitrary function. 



The importance of the Groves mechanisms is revealed 
by the following crucial result. 

Groves Theorem Suppose the decision rule / is efficient. 
Then in each Groves mechanism the expanded decision rule 
(f,g) ■ 6 — > D x lZ n is strategy-proof w.r.t. the utility 
functions m, . . . , u n . 

When for a given tax-based mechanism for all 6' we have 
E"=i W) < (respectively, £™ =1 h{6') = 0), the mech- 
anism is called feasible (respectively, budget balanced). 
A special case of a feasible Groves mechanism, called 
Vickrey-Clarke-Groves mechanism (in short VCG) is ob- 
tained by using h l {6'_ l ) := - m&XdeD J2j^i v q{^ So 
then 

e — ' d£D J 

3 Our approach 

In our approach we relax a number of the assumptions 
made when introducing mechanism design. More specifi- 
cally we assume that 

• there is no central authority, 

• players interested in participating in a specific mech- 
anism register to join an open system wherein that 
mechanism runs, 

• the players whose registration is accepted (request the 
underlying distributed communication layer to) broad- 
cast their type to other players in the system, 

• once a registered player learns that he has received the 
types from all registered players, he computes the de- 
cision and the taxes, sends this information to other 
registered players and terminates his computation. 

As in all cited works, we also assume that there is no col- 
lusion among the players. This leads to an implementation 
of the mechanism design by means of distributed processes. 
The computation of the decision and of the taxes is carried 
out by the players themselves. 

In our approach each player is represented by a process, 
in short a player process. A player who wishes to join a spe- 
cific mechanism (e.g., an auction) must register with a local 
registry. Local registries are linked together in a network 
that satisfies the full reachability condition. 

Once player process registration is successful, it joins 
the network of (registry and player) processes wherein a 
generic broadcast command is available. The implemen- 
tation of this command relies only on the assumption that 
for each pair of players there is a path of neighbouring pro- 
cesses connecting them. This allows us to deal with arbi- 
trary network topologies in a simple way. The broadcast 
messages are transmitted through paths managed in a lower 



layer which the player processes cannot access. This au- 
tomatically prevents manipulation by player processes of 
messages originating from or destined for other players, a 
problem pointed out e.g. in J4j page 366]. 

Each player process after broadcasting the player's type 
participates in a distributed termination detection algo- 
rithm (see, e.g., [H) the aim of which is to learn whether 
all players have indeed broadcast their types. If this algo- 
rithm detects termination, the player process knows that he 
indeed received all types, and in particular can determine at 
this stage the number of players. More generally, we use 
the distributed termination detection algorithm to detect the 
end of each phase of the distributed computation: registra- 
tion, type broadcast, etc., i.e., for barrier synchronization, 
see, e.g., El- 
Each player process uses the same, publicly known, de- 
cision rule / that he learns, for example from a public bul- 
letin board, and as a result computes the same decision. 
Further, each player process applies / to the same input 
8' and computes the same tax scheme tax{t\), . . . tax(t n ) 
from the tax vector (ti, . . . ,t n ), where tax(tj) specifies 
the amounts that player j has to pay to other players and 
possibly the tax collector from his tax tj . All tax schemes 
tax(ti), . . . tax(t n ) then determine 'who pays how much 
to whom' . The tax collector process is only needed for the 
mechanisms that are not budget balanced. 

4 Implementation 

Our distributed mechanism design system is imple- 
mented in Java and consists of about 12.5 K lines of Java 
code. The implementation follows the guidelines explained 
in the previous section. Figure Q] shows the overall archi- 
tecture of our system and the different layers of software 
used in its implementation. Each entity in this architecture 
communicates, either through function calls or method in- 
vocations, only with its adjacent entities. Specific applica- 
tions are realized by instantiating the crucial player process 
layer. 

Low Level Communication The Low Level Communi- 
cation (LLC) layer supports (1) locally generated, glob- 
ally unique process identifiers, and (2) reliable non-order- 
preserving, asynchronous, targeted communication, exclu- 
sively through the exchange of passive messages between 
processes. The only means of communication between pro- 
cesses in LLC is through message passing, where no trans- 
fer of control takes place when messages are exchanged. 

Successful send simply means that the message has been 
dispatched on its way to its specified target. 

BTTF The Back To The Future (BTTF) layer implements 
a message efficient, fault-tolerant distributed termination 
detection (DTD) algorithm, on top of the LLC layer. The 
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Figure 1. Implementation architecture 



details of the BTTF DTD algorithm lie beyond the scope of 
this paper and will be described elsewhere. 

All DTD algorithms determine termination using waves 
of special control messages, called tokens. They also re- 
quire the designation of a single process as the initiator, 
which is responsible for initiating the waves. In the BTTF 
algorithm, the initiator is anonymous, i.e., no process (other 
than the initiator) knows who the initiator is. 

The DTD functionality provided by the BTTF layer can 
be used for barrier synchronization as well as for termina- 
tion detection. 

High Level Communication and Registry The High 
Level Communication (HLC) layer provides indirect, 
anonymous communication among the players in a dis- 
tributed system. It includes a number of local registries 
whose mutual connectivity supports the full connectivity of 
the players necessary for broadcast. A player must sign-in 
at a local registry, after which it can use the other operations 
provided by the HLC layer to take part in the mechanism. 

Each local registry is responsible for processing the reg- 
istrations of the player processes according to the assumed 
registration criteria. 

Player Process Specific applications are implemented us- 
ing this top layer. It is built on top of the HLC layer and is 
used to implement specific actions of the players, in partic- 
ular the computation of the decisions and taxes. 

Tax Collector Software Interface This layer is built on 
top of the HLC layer and provides the counterparts of the 
functions of the HLC layer to deal with the tax collector 
process registration. 

Tax Collector Process This layer is built on top of the 
Tax Collector Software Interface layer and is used to imple- 
ment the actions of the tax collector which is in charge of 
collecting players' taxes. We omit the details. 



Player GUI The interaction between the player (user) and 
the system is realized in this interface. The interaction is 
limited to the registration, type submission and tax recep- 
tion. 

5 Security, Distributed Policing and Fault- 
tolerance 




Figure 2. A realization of the platform 

Figure |2] shows a mapping of the architectural elements 
described in the previous section to 'logical hosts'. The 
mapping is dynamic and hence unknown to players. In 
any concrete implementation one or more such logical hosts 
can represent the same actual physical host. The commu- 
nications network, represented by the cloud shape, inter- 
connects a number of hosts to provide the functionality de- 
scribed in the LLC layer in Section [4] The specific hosts 
connected to this network that concern us are a set of gate- 
way hosts that run the BTTF and the HLC layers. 

The ring of hosts around the core in Figure [2] contains 
the set of hosts that run the local registries. Every local 
registry has a primary connection to a gateway host in the 
core. Thus, the full reachability of the gateway hosts in the 
core ensures full reachability among local registries. 

The next ring of hosts in Figure|2]contains hosts that run 
player processes. Each player process establishes an initial 
link (dotted lines) with a local registry (whose address it 
obtains from a local forum) to register. As part of this reg- 
istration process, its local registry provides the address of a 
gateway host with which the player process then establishes 
its primary communication link (solid lines) for the rest of 
the game. Finally, the outermost ring in Figure |2] consists 
merely of computers that run GUI programs that link to 
their respective player processes. 



This 'ring structure' provides multiple forms of protec- 
tion against manipulations by the players. The only mes- 
sages that pass through a player process are the ones orig- 
inating from or destined for that specific player. Further- 
more, the end users have physical access only to the outer- 
most hosts that run the GUI programs, which severely re- 
stricts the range of their potentially dangerous actions. Fi- 
nally, the separation of the GUI programs from the player 
processes allows us to run the latter on hosts to which end 
users do not have physical access. Users can trust the se- 
curity of the messages they exchange through a 'public' 
communications system, by relying on the encryption of the 
messages using the public key cryptography. 

A dishonest user may attempt to alter the code of a player 
process so that it sends to some players a falsified decision 
or a falsified tax scheme. By policing we mean here a se- 
quence of actions that will lead to the exclusion of such 
processes (that we call dishonest). The qualification 'dis- 
tributed' refers to the fact that the policing is done by the 
player processes themselves, without intervention of any 
central authority. We call a player process honest if it mul- 
ticasts a true tax scheme. 

The difficulty in implementing distributed policing lies 
in the fact that dishonest processes may behave inconsis- 
tently. To resolve this problem we make use of registries 
that are assumed to be reliable. We then modify the se- 
quence of actions of each player process so that it always 
computes the decision and the tax scheme but sends them 
only to its local registry. The local registry then dispatches 
the tax scheme on behalf of its sender to all player processes 
mentioned in the tax scheme. As a trusted intermediary, 
the registry ensures that the same tax scheme is sent to all 
player processes involved, and that no player process can 
send more than one tax scheme in a single phase. 

The BTTF algorithm in the BTTF layer detects persis- 
tent process failures. The duplication of the computation by 
all players allows us to easily modify the design to support 
fault-tolerance at the mechanism design level. 

6 Examples 

We used our distributed mechanism design system in a 
number of test cases that we now briefly describe. Each 
of them, is implemented as an instantiation of the player 
process layer described in Section [4] 

Vickrey auction with redistribution In Vickrey auction 
there is a single object for sale which is allocated to the 
highest bidder who pays the second highest bid. We im- 
plemented the proposal of [5] in which the highest bidder 
redistributes some amounts from his payment to other play- 
ers. This minimizes the overall tax. Due to space limitations 
we omit the details. 



Unit demand auction In this auction multiple items are 
offered for sale. We assume that there are n players and 
m < n items and that each player submits a valuation for 
each item. The items should be allocated in such a way that 
each player receives at most one of them and the aggregated 
valuation is maximal. This auction can be modelled as the 
following decision problem: 

V({l,...,m}) 



Vi{d,9i) := 



• D = {/ | / 

{l,...,n},/isl-l}, 

• Qi = 1Z™; ■ ■ ■ , 0i, m ) G 6j is a vector of player 
i's valuations of the items for sale, 

6ij if d(j) = i 

o' i£->3jd(j)=i 

• f{6') G axgTi&x deD J2jedom(d) e d{j),j- 

Decision rule / is efficient, so Groves Theorem ap- 
plies. The decisions are computed using the Kuhn-Munkres 
algorithm to compute the maximum weighted matching, 
where the weight associated with the edge (j, i) is the 
valuation for item j reported by player i. In our im- 
plementation we used the Java source code available at 
|http : / / adn . cn/blog/ article. asp?id=4 9| To 
compute tax for player i according to the VCG mechanism 
this algorithm needs to be used again, to compute the max- 
imum weighted matching with player i excluded. 

Single minded auction In this auction studied in |6j there 
are n players and m items, with each player only interested 
in a specific set of items. For simplicity we assume that each 
player i is only interested in a subsequence cti, . . . , bi of the 
items 1, ... ,to. We model this as the following decision 
problem: 

. D = {f\f:V({l,...,m})^{l,...,n}}, 

• O, = TZ+; 9i G Qi is player i's valuation for the se- 
quence at, . . . , bi of the items, 

6i if Vj G [dj, ...,bi] d(j) = i 
otherwise 

• /(<?') G argmax deD X; i :d([a I ,...,f> I ])=m 6 '*' 
where d([a i; . . . , bi]) = {d(j) | j G [a u ■ ■ ■ , h]}. 

So, given an allocation / G D the goods in the set 
{k | f(k) = j} are allocated to player j. Decision rule 
/ is efficient and consequently Groves Theorem applies. 
The computations of the decision and of the taxes involve 
constructions of the maximum weighted matchings that are 
computed using a dynamic programming algorithm, details 
of which are omitted. 

Other applications To test the versatility of our approach 
we also implemented a number of other examples, includ- 
ing Vickrey auction, decision making concerned with public 
projects (see Q Chapter 23]), sequential Groves mecha- 
nisms studied in Q, and Walker mechanism of 0121 . The 
latter mechanism is not an instance of Groves mechanism 
and implements the decision not in dominant strategies but 
in a Nash equilibrium (see, e.g., J7J). 



Vi{d,0i) := 



7 Conclusions 

We described here the design and implementation of a 
platform that supports distributed mechanism design. We 
believe that the proposed platform clarifies how the de- 
sign of systems supporting distributed decision making can 
profit from sound principles of software engineering, such 
as separation of concerns and hierarchical design. 

We found that the division of the software into layers re- 
sulted in a flexible design that could be easily customized 
to specific mechanisms. For example, our distributed im- 
plementation of Vickrey auction required modification of a 
module of only 60 lines of code. Additionally, this layered 
architecture offers a multi-level protection against manipu- 
lations, distributed policing and supports fault-tolerance. 

We also provided evidence that software engineering in 
the area of multi-agent systems can profit from the tech- 
niques developed in the area of distributed computing, for 
example broadcasting in an environment with an unknown 
number of processes, distributed termination and barrier 
synchronization. 
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